Why the private sector is the major milestone for the European Identity Wallet to succeed? Let's discuss
This European digital identity wallet, the new kid on the block. I'll try to give a few viewpoints. Nothing is cast in stone. If you followed a little bit, we are in for quite an interesting ride for the coming one and a half, two years, or even longer before this animal will stabilize. So let me give you some of my personal views.
Firstly, a quick fast forward for those who read the ARF, the Architecture Reference Framework. A nice little picture with some standards in it, but for me it's good guidance of what they are trying to build and how they try to make something interoperable. But it's just a reference for what they call the large-scale pilots. What is guiding in this whole environment is regulation. So what is important, whatever technicians might invent, making sexy wallets, inventing new protocols, et cetera: it's all in regulation.
And where some people only read the regulation, let's not forget that next to the regulation there will be a lot of implementing acts, which also still need to be stabilized, which say how it can be implemented or must be implemented between member states to be interoperable. This ARF, version 1.0, was impossible to find for the private sector, which in itself is an interesting thing. The regulation says it must be used in the public and private sector.
And I'll come back again to some sentences in the regulation that say it will be obligatory to be used by certain sectors, which is fun if you can read the different versions of the eIDAS regulation or the ARF. But I believe the current version of the eIDAS regulation, the trilogue version, so the one which is discussed between the Parliament, the Council and the Commission, I believe you can find it. And otherwise there is a public link somewhere on my LinkedIn. And secondly, the ARF version 1.1, it has landed somewhere on GitHub.
So you can also find that one these days, but you need to know where to find it, which in all cases for me is quite interesting, because again, it will have an impact, and in my opinion a gigantic impact, on the private sector. Because how many times a year do you interact with the public sector, with the government? With the government, more than five times a year. Anybody?
Okay, well, to do your tax declarations or something like that. Okay, so how many times a day do you interact with the private sector to do a payment or something like that? I think a little bit more. So I really want this to work.
Secondly, for those who think that things are stable: if you go to this ARF 1.1, made in April this year only, there is a nice chapter called chapter eight, which links to the long list of things they still have to solve. If you see that, it gives you a pretty good idea of what has to be solved. But let's not be negative. It's like the glass is half full but still half empty. And what do you want as a private sector company? Certainty. You cannot invest in something if you're not certain what it will bring. So I'll get into that. A quick disclaimer.
I've been working a lot in the domain of trust services and digital identity in the last 23, 24, 25 years. I have some gray hair. I helped to write a blueprint of the Belgian electronic ID card. I helped to introduce electronic signatures at the Flemish government. It's a part of Belgium, half Dutch, half Belgian, so I've got an identity crisis. On top of that, I've got a French diploma. So how do I fit that all in the wallets? Do I take the French wallet, the Belgian wallet, the Dutch wallet? It will be an interesting use case. I worked for the Commission on certain projects.
For example, the European Self-Sovereign Identity Framework pilot. Currently I'm working part-time for a systemic bank and part-time for a government involved in this picture. But all of this, what I will present in the next slides, it's my general and my own opinion, but based on certain experiences. And so quickly going into that, I think first of all, before you read eIDAS version two, you need to understand eIDAS version one. It has two chapters which concern the trust services, which I'll very much simplify.
It's about electronic signatures and those kinds of things, which have been really, really stabilized in version one already. If you look at the number of CEN and ETSI standards, which go into extreme detail, there is a lot already in place. eIdentity was there. But the problem is: try to log in with my Belgian identity to, for example, a Spanish or a Dutch service provider. For example, if you do cross-border business, because my slides are about business and I do a part-time job cross-border and I need to do a tax declaration from, for example, the Netherlands to Belgium or vice versa.
When I log in with my Belgian ID, which is clearly an identification means under eIDAS, and I log into the Dutch system, they will say, okay, I recognize you, Belgium is saying so, but what is your BSN, your burgerservicenummer in the Netherlands? My problem?
Eh, there is no identity linking. The other way around, if you log in with your Dutch DigiD into the Belgian system, they will say, okay, you are a print princess, I dunno what. And you log in and they will say, okay, what is your national registry number in Belgium? Because that is how the tax office works, which is the most important one because they make sure the state does not go bankrupt. So we have all kinds of problems. These different identity means are not interoperable, okay?
They have built this eIDAS network to work in between, but it has all kinds of limitations because it can only exchange a minimal dataset. So if you do a cross-border authentication, you've got a lot of ping-pong between the different member states, which you don't want, because you need to upgrade all of this if you have new use cases. At this moment in online authentication, you can log in from one country to another.
But if you want to send more data like a birth certificate or a mandate or a proof of being insured, it's all not possible because the infrastructure is set up to cover identification, basically, full stop. And if you want to extend it, you need to extend all the eIDAS nodes across Europe, which is a pain. So then came along the Commission with this new idea: let's have an updated eIDAS so that every citizen in Europe will have a wallet. That wallet will help them to identify, authenticate, sign, and present all attestations. So the signature part, honestly, for me is nothing new.
It was there. It is there. It will maybe improve on certain points which were not well written down or not well elaborated in the previous version.
But the first big change for me is identify and authenticate. Many people might not notice it, but the identification means under eIDAS version one were basically authentication means: you authenticated cross-border, you did some kind of strong authentication or substantial level of authentication cross-border, but it was not identification like showing your passport or your identity card or a digital travel credential or something like that, where you had to have, well, I would say, passport-grade identification.
So for me, there is a difference, which in my personal opinion is still not well elaborated in the text, but it's important if you look at the use cases. eIDAS version one was online only. And sometimes I will say some things very black and white, forgive me, but it's impossible in half an hour to explain all the colors about this. And even then multiple people might have different opinions. That's why I guess we are here and have coffee breaks to discuss even more. So that is one part.
You will have a mobile device, basically. Okay, you can have cloud wallets, but in most cases people consider that it will be on a mobile wallet. You can use your mobile wallet not only to do online authentication but also to do offline identification. Big difference in those cases. And the other one is present attestations, because how many documents do you have to exchange these days if you, for example, want to open a bank account or show you have a mandate on a company or that you are insured or whatever? You have to show it, okay, a signed PDF. Nice.
It's already better than nothing, because fraud with paper documents or hand-signed, wet-signed paper documents or PDFs which are scanned is easy. But with electronically signed attestations that becomes a real problem, becomes really difficult to do. So if we want to go towards this EUDI wallet, which every country needs to give to the citizens: how they do it is up to the member states, they have to provide a wallet to their citizens. It can be that the government issues a wallet.
It can be that the government recognizes one, two, three providers that can provide a wallet. But I think it's less about the wallet. Okay, the wallet is important, but it's what you put inside the wallet, like what you may have heard in other presentations: the PID, personal identification data, so that you can prove your identity, your age, your address, those kinds of things. Or whether it's an attestation like: this is my diploma, this is my driver's license, et cetera. But it's always a balance between benefits and risks.
Because how many of you have a fully patched smartphone which, you are sure, has a secure enclave or a secure element inside where your crypto keys are in a chip? How many of you are sure about that? Hmm? What do you mean, sure? Okay. How many of you have, can I do politically incorrect statements here? Absolutely. Yes. Okay. Good conference. How many of you have a non-European mobile device? Any of you have a secure European device? 100% European chips? No. Okay. Yeah. So a bit of Chinese, US chips, et cetera.
Ah, some US chips
Sharing everything with everyone. Yeah,
But it's maybe
Okay, good. So that's another debate on another level: sovereignty, European sovereignty. It's a nice topic for the cabinet Breton to elaborate, but we'll not go as far as that. We'll just look at a private company. What do you want as a company? I already said it. You want certainty. Certainty starts with the legal framework. If you look at the legal framework, as already said, you have a regulation; read it in detail, and it's still changing over time. Even in the last version I saw, I think version six or seven, they kicked out certain texts, they changed it again.
But also important will be the implementing acts. But if you know the implementing acts from eIDAS version one, you will know that many things will be taken over. For example, in the legal framework of eIDAS version one, it was already stated how you can register a person to issue, for example, a signing certificate. It is not so much different to register a person, register his wallet, to be sure that there is a correct link with it and that the identity attestations which are in there are one-on-one linked.
So okay, they might fine-tune, but if you read implementing act, for example, 2015/1502, you will see the general rules of how that should be done, and you'd better prepare because that one will apply also in the identity area. But then you read in the texts, and you see that some people are protesting, that it must be used by big providers on the internet. Well, the goal initially was that the Facebooks and the Googles and the Apples could not enforce their wallets on us, and that you need to give the European citizen a wallet that allows them to authenticate in an assured way with those sites.
But the text has been enlarged. It is now also, for example, enforced on the banks. Do you think it's a good idea or a bad idea? A good one.
Okay, why? Why? Why? Why not? Why not? Okay.
On the one hand, when you authenticate to a bank, when you open a bank account, you know you should look into the anti-money laundering rules, which really try to establish that you are really sure you are opening a bank account for the correct person. So that means that if I do not do it anymore based on an electronic identity card where there is a chip, where we really, really know there are no copies of the chip, you have one identity card, or you go to the branch office and you put down your passport. We will now put that on smartphones.
How many percent of those smartphones do you think are fully patched? The iOS or the Android version is up to date, they bought the latest version of Android or the Apple phone which has a secure element. Any idea? I cannot give you the digits, but I know what it is. For some serious big banks, it's way less than 50%. That would mean that we force banks to allow these kinds of things in an environment where the majority of phones are not secure. I think we're in for a great day for a new set of fraudulent transactions.
The second element on that is: what does a bank do when you authenticate to them to do a transaction? Yeah, I dunno how strong your limits are at your bank. And most of the banks have this nice feature that in your app you can take credit, then up your limits of how much you can pay per day, and then do the payments, all in one app. Great. So if I steal your keys, the first thing what I will do is take a loan in your name, then I will up your limit from today and sign it. I can do it because I stole your keys, and then I empty your bank accounts.
Nice, nice. Okay. So now I understand why these guys are saying, whoa, whoa, whoa, whoa, whoa. It is interesting. Of course it should help us, because it can also help them: if they get attestations from the government that this is your birthday, this is your official address, you don't have all the loans outstanding, et cetera, it'll help the bank. They know that. But if they look at how fast in the digital world you can empty a bank account, it's faster. Anybody learned about the story, or listened to the story, of what happened in Malta? What was it, two, three years ago?
They basically shut down the banking system because the secret service was calling them: if you don't shut down your banking system now, your accounts will be empty by the end of the week. And they had only one choice, which is to close down the whole financial system of Malta because they had a problem. So a little bit going out of scope, of course, but here it shows that, okay, we have a great idea, but come on, let's be serious about where we can use it and where we cannot use it. And I think nobody is against all of these things, but let's do some risk management in these environments of how far we can go.
Trust framework. People talk a lot about trust frameworks, as already said. We have things like the Commission implementing regulation.
Eric, Eric, a break on new. I have a question coming in. Do you want the questions at the end, or shall we? Maybe better at the end. Okay. Maybe someone with you.
Okay, great. You have Commission implementing regulation 2015/1502, which as said is an existing implementing regulation. My best guess is they will just update it. But it's one of the most important documents I would recommend you to read. People are discussing how we should supervise. We are already supervising what we call certification authorities, qualified trust service providers, for years now. We know where we are good in, we know where we are not good in; it is there in reports. We can apply it.
Okay, we can improve again, et cetera. But the basis is there. And so one of the interesting things is: what will be the minimum level of maturity we ask from our issuers, huh? And also from the wallet providers, huh? If you as a citizen will get a wallet which allows you to access your tax records, change the bank account to where they have to pay your pension, where somebody can get your identity and, based on the identity, take a loan, based on your identity log into your bank account, what level of maturity would you like for the wallet provider and the issuer of your identity?
You want substantial? Low? Okay? They are discussing that in certain cases you need it. But my personal opinion, I stress this presentation is completely my own opinion, is that for many use cases you will need high. And once you have high, okay, you can use it in low use cases, but there is no use to have the others.
But okay, it's only my opinion. But so from a private sector perspective, you need to look at the legal framework. It needs to be solid. You need to have it as legal evidence. The framework must be supervised so that you're really sure how it can be used. And let's not forget, by the way, that next to everything about eIDAS itself, you also have sectoral things, eh? So some people are saying, yeah, how will we do that in the social security sector, in the banking sector?
Guys, the Commission has since years a database at DG Employment of all social security institutions in Europe and what they are competent for. We don't need something new there. It exists. We will just put it in a new format. The European Banking Authority has a central database of all payment service providers. We will put it in a new format to be compatible with both the legislation of the financial world and of the eIDAS world. But it has been there.
So again, I think we are close, but as said on the previous slides, let's look at those concerns. It's not that we are against, but we need to do some risk mitigation or it'll go wrong.
Very, very fast, use cases, very quickly. If you look at the use cases, there are all kinds of interesting legal and business debates and technical debates about how we should do it. But let's look at the reality. This morning there was a statement like: there are these religious fundamentalistic debates on should we use mDOC or should we use verifiable credentials?
Okay, mDOC, what was it built for? It was built to, like, beep offline and have a reader of a policeman or border control reading your mobile documents.
Okay, that's nice. If we want to use this in the private sector, are you going to oblige all shops to have an mDOC reader? That's economically not feasible. So not a good idea to use mDOC in those cases. Even if it does selective disclosure, very nice, but you cannot oblige simple shops to invest in that. It's way too expensive to do that. Another feature you might want in the financial sector is, for example, to have dual signatures, that you can sign the attestation: for example, we confirm that you have a loan or you have sold something.
In those cases, those attestations need more than one signature. It's not supported in an mDOC, full stop. Are we going to try to fix it? It's like putting a V6 engine into a vu.
Okay, you can try to do that, but not sure that that will work. Verifiable credentials, okay. There are quite some use cases which have been presented and supported with verifiable credentials. The existing implementations are quite good in an online environment. These days they are already being tested in diplomas, in social security, et cetera. But they have not so much ground in the offline world. So let's accept that reality.
Use one standard in the offline world, another standard in the online world, and have it pragmatically so that you can really have the best of both worlds in the wallet. And the wallet in that case will need to support maybe one or two or even three standards at the same time. We can have a lot more discussion on it.
But I think looking at use cases for, for example, a bank: are we talking, as mentioned in the legal part already, about identification to open a bank account under the anti-money laundering regulation, or are we talking about strong customer authentication as they mention it in the Payment Services Directive 2? It's a gigantic difference. And then we can talk about electronic signature, which is yet another functionality, or are we talking about your exchange of attestations? You need to look at the use cases and then you can look at what current technology can provide.
Luckily, my personal interpretation is that in the ARF we have sufficient bandwidth at this moment to do all these use cases. I think none of them will win. I think it will be these standards which will need to support different things altogether to make it work. Privacy is of course an important aspect. There was a lot of discussion on unique identifiers. How will you do that? There are different options. Certain countries like Austria and the Netherlands already have strong systems with pseudonyms. But these are national mechanisms.
In the future we will need to have more open systems, and in certain cases you don't need pseudonymity. If I authenticate to a police officer or to the border control or I check into an airplane, there is no privacy. They don't want a terrorist in your airplane. That's quite clear. In other cases, when I need to prove that I'm above 18, I need it. For those people who are more technical, we can have a discussion whether we use DIDs, digital identifiers, in that world, like the SSI world, or are you more for implementations based on WebAuthn?
Depending on how long your certificate or registration will live, huh? Some countries are saying, I will give you an attestation for three months, six months, 12 months that you're older than 18.
Okay, nice. But in certain cases you can do it on the fly; then your attestation will be delivered for maybe one minute and gone. But in all cases, let's take the picture in the middle. We are all thinking about, oh, we are going for this distributed infrastructure which will be much more safe. But where will your attestations come from, which are put in your wallet? From databases, huh? Especially biometric databases, huh? Because for certain attestations we need photos or fingerprints, et cetera, in exceptional cases.
So okay, a wallet will help that. It's much more portable and you will be able to go around and you will be able to choose what data you deliver to other persons. But that does not, how do you say that? Like in church you get absolution, or how do you say that? Forgiven. Absolved. Absolved for the fact that there still is a problem of authentic sources, databases which still have information about a lot of people. And I think if you google on Aadhaar, what they had in India, it'll give you an idea, and the wallet does not solve that problem. The wallet solves that
it cannot track you. What you can do, does it? So we are talking a lot about selective disclosure. I will give you only my age. Nice. What do I do that with, my device? Two elements. If I do it in mDOC, you know, or an SD-JWT here, so the people don't accuse me of being against mDOC and SD-JWT: if you look at the format, okay, I can disclose only my age, but the base element, the hash, is always the same. So that means that even if I only give one attribute, the value of the credential that I share is always the same as the hash.
Secondly, what's my IP address? What's my email number? What is the profile of my mobile phone? The relying party you talk with will see all of that.
So okay, let's take it with a grain of salt. I know I have only one minute to go or something like that. Questions are waiting.
Okay, good, good, good, good. But they have to come to the drink. Very quickly, two slides more: security. So one of the biggest problems we talk a lot about is holder wallet binding. Okay? If I have my diploma in my wallet or my driver's license, maybe it's not so important to bind it strongly to my wallet, because in my diploma will be Eric Zurin and those kinds of things. I will never do selective disclosure of my diploma; half a diploma does not make sense. I need to give my diploma or something like that so they can check if it's really Eric Zurin in front of them, for example.
However, in other cases, I really need to be sure that a person who says that he or she is older than 18 or living in the city of Berlin is really the one behind the wallet. And we don't have these situations like with the COVID wallets. Key protection: there are some slides from the French on the security of wallets, but I have already given you my interpretation of how well our made-in-Europe wallets are these days on mobile devices. So we really have a challenge there. I think we can go far with strong customer authentication; if we can go as far as that with identification at the grade of passports,
personally I doubt it. And two items more.
One, this is a nice example: if you lose your wallet, how do I get my identity back? Yeah. Because basically they will take everything. So we need to solve that. So clearly Rome was not built in one day, and if you read the ARF, there is still a lot to do, a lot of potential. So don't get me wrong, I think there are a lot of very positive things we can do with that. We can fight fraud, forged documents, et cetera. But we are not out of the woods yet.
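The linkability point Eric raises about selective disclosure, illustrated with an added Python example that is not part of the talk: a toy SD-JWT-style credential (issuer name, claim names and the stand-in for the issuer signature are all constructed, not from any real wallet) shows that the issuer-signed part with its salted claim digests is identical in every presentation, whatever subset of claims is disclosed, so a relying party can link presentations of the same credential; issuing a fresh copy (batch issuance) is the usual mitigation, and gives a different handle.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # SD-JWT style disclosure: base64url([salt, claim name, claim value]).
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict) -> tuple:
    """Issue one credential copy: the issuer-signed part plus one disclosure per claim."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {
        "iss": "https://issuer.example",  # constructed placeholder issuer
        "_sd_alg": "sha-256",
        "_sd": sorted(digest(d) for d in disclosures.values()),
    }
    # Stand-in for the issuer JWS: a real SD-JWT signs this payload with the
    # issuer key. Only digests are signed, so this part never changes no matter
    # which disclosures the holder later hands over.
    issuer_part = b64url(json.dumps(payload, sort_keys=True).encode())
    return issuer_part, disclosures


def present(issuer_part: str, disclosures: dict, reveal: list) -> str:
    # Presentation: issuer part, then the chosen disclosures, each separated by "~".
    return "~".join([issuer_part, *(disclosures[n] for n in reveal)]) + "~"


def verify(presentation: str) -> dict:
    """Relying-party check: every disclosure must match a signed digest."""
    parts = presentation.split("~")
    payload = json.loads(b64url_decode(parts[0]))
    revealed = {}
    for d in parts[1:-1]:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by an issuer digest")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return revealed


def correlation_handle(presentation: str) -> str:
    """What a relying party can store to recognise the same credential again."""
    return hashlib.sha256(presentation.split("~")[0].encode("ascii")).hexdigest()


def demo() -> dict:
    claims = {"given_name": "Alice", "age_over_18": True, "resident_city": "Berlin"}
    issuer_part, disclosures = issue(claims)
    # Two presentations of the same copy, disclosing disjoint claims.
    to_shop = present(issuer_part, disclosures, ["age_over_18"])
    to_bank = present(issuer_part, disclosures, ["resident_city", "given_name"])
    # Mitigation: a second copy with fresh salts yields a different signed part.
    fresh_part, fresh_disc = issue(claims)
    to_shop_fresh = present(fresh_part, fresh_disc, ["age_over_18"])
    return {
        "shop_sees": verify(to_shop),
        "bank_sees": verify(to_bank),
        "same_copy_linkable": correlation_handle(to_shop) == correlation_handle(to_bank),
        "fresh_copy_linkable": correlation_handle(to_shop) == correlation_handle(to_shop_fresh),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```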
Eric, thank you very much. Great presentation, great insights. I think a lot of stuff to discuss. The sun is shining. There is beer, and there's beer and whatever. I'm not sure. Not sure. I think it's still coffee. Okay. Probably. We have a lot of questions. We are a bit out of time. So as we will do with other sessions as well, we will hand over the questions to you. Okay. He can provide a written response.
We will put the responses back into the app so that the people who have been asking the questions can look at them, and also the people who look at the app, they'll see the responses to the questions. That will take a bit until, okay, everything is done. But it will give you all the opportunity then to also look at questions and responses that came in. For the people who are physically here, if they have one or two questions, we take them quickly. We can take maybe one question from the audience.
Thirsty, go ahead. We always know the ones who are asking questions right now, are they the ones between everyone and the coffee? But anyway, we take a question. It's a bit like school when the bell is ringing, you know? Yeah. Those who are thirsty, please add so many. And otherwise we see each other in the next two days. I have one question. You just referred to mobile security and to the mobile phone only. If we look at the key management, we have three possibilities. One is a smart card. Okay? Not the best option for mobile.
We have relying on mobile, and we have using an external HSM. If I use an external HSM, I'm not really relying on the security of my mobile phone, not so much like you emphasized. And I don't rely on Korean, Chinese, and American hardware, where we all can think about how secure it is, because this is what we can't control, also if you use a Java applet, et cetera, to protect the secure element. So my question to you: is there a reason why you referred so much, why you emphasized so much, only the mobile security? Put your keys on the mobile phone instead
of also using an external HSM where we have FIPS 140, 419 241, existing standards for certification, et cetera, to protect our keys. Okay. Quick answer.
And again, the sun is shining and we can continue over a drink, but inherently, like if we, I'll put it really black and white, huh? If you put keys in a smart card, in a chip, you know it's there, only there, and can never get copied. I know that in the context of remote electronic signatures, ETSI has done a lot of work to put your keys in the cloud and have them secure there in, let's say, towers or something like that at a European provider.
But still the activation of your key in the cloud is done by a mobile phone or by a web agent that you have locally with you, and that means that whatever you have on your mobile phone to activate your keys in the cloud must be damn good, or you have another problem. Okay, great. A lot of questions. Easiest thing: meet with Eric, and/or put the questions into the app. As I've said, we will try to get all speakers to respond to their questions and put their responses back into the app so that everything is available also on the app. Thank you very much.
Eric, raise your hands again please.